The current Jetspeed security role/group model technically supports a hierarchical relationship.
In practice though, this isn't used really, nor do the j2-admin portlets support it through the UI.
Furthermore, the hierarchical relationship is based on a specific (preferences) hierarchy naming which really doesn't fit well (better said: not at all) with a backend like LDAP.
The current model simply cannot be used with LDAP for using role-group relationships.
A typical use-case requiring a more simple and straighforward solution:
- defining organisation divisions and subdivisions as groups and defining a parent-child relationship between them
- a user belonging to a division group then also belongs to any subdivision group of that division
- the same goes for roles, the user could automatically inherit the roles assigned to the subdivision group.
As AFAIK the hierarchical relationship model isn't used at all right now, this issue will resolve its complexity and limitation by replacing it with "flat" parent-child relationships:
- only support non-hierarchical groups and roles
- allow a group or role needs to be defined as child of another group or role
- just need a security-role-role and security-group-group table (and corresponding LDAP mapping)
- check/enforce no circular references can be created
- adding UI support for this will be rather easy: we already have support for the group-role relationships, this is just more of the same